CKAD: NetworkPolicy

Question: Three Pods, “web”, “db” and “ckad-netpol-newpod”, are running in the namespace ckad-netpol.

Task: Configure the Pod ckad-netpol-newpod in the ckad-netpol namespace to use a NetworkPolicy that allows the Pod to send and receive traffic only to and from the pods web and db.

You must not create, modify or delete any NetworkPolicy while working on this task.

Step 1. How to create the Lab (creating namespace, pods and NetworkPolicies)?

  • Create the namespace
kubectl create namespace ckad-netpol
  • Create the 3 pods
kubectl -n ckad-netpol run web --image=nginx --port=80

kubectl -n ckad-netpol run db --image=nginx --port=80

kubectl -n ckad-netpol run ckad-netpol-newpod --image=nginx --port=80 --labels="env=newpod"
You can also verify the pods. 
kubectl -n ckad-netpol get pods -o wide --show-labels

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
[root@master1 ~] kubectl -n ckad-netpol get pods -o wide
NAME                 READY   STATUS    RESTARTS      AGE   IP               NODE                      NOMINATED NODE   READINESS GATES
ckad-netpol-newpod   1/1     Running   1 (10m ago)   21h   172.16.14.103    workernode2.example.com   <none>           <none>
db                   1/1     Running   1 (10m ago)   21h   172.16.14.104    workernode2.example.com   <none>           <none>
web                  1/1     Running   1 (14m ago)   21h   172.16.133.165   workernode1.example.com   <none>           <none>
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Create the NetworkPolicies

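cat <<EOF | kubectl apply -f -
# Selects every pod in the namespace and lists no rules: all ingress and egress is denied by default
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: ckad-netpol
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
EOF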

cat <<EOF | kubectl apply -f -
# Applies to pods labelled run=web; peers are matched on env=db
# (kubectl run labels the db pod created above run=db)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: web-netpol
  namespace: ckad-netpol
spec:
  podSelector:
    matchLabels:
      run: web
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          env: db
  egress:
  - to:
    - podSelector:
        matchLabels:
          env: db
EOF


cat <<EOF | kubectl apply -f -
# Applies to pods labelled run=db; allows traffic to and from pods labelled run=web
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: db-netpol
  namespace: ckad-netpol
spec:
  podSelector:
    matchLabels:
      run: db
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          run: web
  egress:
  - to:
    - podSelector:
        matchLabels:
          run: web
EOF


cat <<EOF | kubectl apply -f -
# Applies to pods labelled env=newpod; allows traffic only to and from pods that also carry env=newpod
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all
  namespace: ckad-netpol
spec:
  podSelector:
    matchLabels:
      env: newpod
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          env: newpod
  egress:
  - to:
    - podSelector:
        matchLabels:
          env: newpod
EOF

The lab is now set up, which is really helpful for practising at home.

Step 2. How to validate (Pre-check)

kubectl -n ckad-netpol exec -it ckad-netpol-newpod -- curl web_POD_IP --connect-timeout 3
kubectl -n ckad-netpol exec -it ckad-netpol-newpod -- curl db_POD_IP --connect-timeout 3
kubectl -n ckad-netpol exec -it web -- curl ckad-netpol-newpod_IP --connect-timeout 3
kubectl -n ckad-netpol exec -it db -- curl ckad-netpol-newpod_IP --connect-timeout 3

Step 3. How to check what NetworkPolicies are created in this namespace?

[root@master1 ~] kubectl -n ckad-netpol get netpol
NAME               POD-SELECTOR   AGE
allow-all          app=newpod     46s
db-netpol          app=db         4m20s
default-deny-all   <none>         113m
web-netpol         app=web        4m20s

Let’s describe the network policies one by one and identify the NetworkPolicy that is bound to the pod “ckad-netpol-newpod”.

[root@master1 ~]# kubectl -n ckad-netpol describe netpol allow-all
Name:         allow-all
Namespace:    ckad-netpol
Created on:   2025-03-17 22:23:58 +0530 IST
Labels:       <none>
Annotations:  <none>
Spec:
  PodSelector:     env=newpod    ## This policy is bound to pod "ckad-netpol-newpod" because the pod has the label "env=newpod"
  Allowing ingress traffic:
    To Port: <any> (traffic allowed to all ports)
    From:
      PodSelector: app=newpod    ## A pod with the label "env=newpod" can receive traffic from pods with the label "app=newpod"
  Allowing egress traffic:
    To Port: <any> (traffic allowed to all ports)
    To:
      PodSelector: app=newpod    ## A pod with the label "env=newpod" can send traffic to pods with the label "app=newpod"
  Policy Types: Ingress, Egress

How to add the labels 💡💡

kubectl -n ckad-netpol label pods db env=newpod
kubectl -n ckad-netpol label pods web env=newpod

kubectl -n ckad-netpol get pods --show-labels -o wide

Perform the post-checks.

kubectl -n ckad-netpol exec -it ckad-netpol-newpod -- curl web_POD_IP --connect-timeout 3
kubectl -n ckad-netpol exec -it ckad-netpol-newpod -- curl db_POD_IP --connect-timeout 3
kubectl -n ckad-netpol exec -it web -- curl ckad-netpol-newpod_IP --connect-timeout 3
kubectl -n ckad-netpol exec -it db -- curl ckad-netpol-newpod_IP --connect-timeout 3
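
Why the relabelling changes the pre-check and post-check results can be traced offline. The following is an added example, not part of the original lab: a small Python model of the four policies exactly as written in the Step 1 manifests, with pod labels assumed to be those set by the `kubectl run` commands; the function names are hypothetical.

```python
# Added example: offline model of the lab's four NetworkPolicies (constructed
# from the manifests in Step 1; only podSelector/matchLabels peers are modelled).
PODS = {  # labels as set by the `kubectl run` commands in Step 1
    "web": {"run": "web"},
    "db": {"run": "db"},
    "ckad-netpol-newpod": {"env": "newpod"},
}
# name: (podSelector, ingress "from" selectors, egress "to" selectors).
# Every policy in the lab lists both Ingress and Egress in policyTypes.
POLICIES = {
    "default-deny-all": ({}, [], []),
    "web-netpol": ({"run": "web"}, [{"env": "db"}], [{"env": "db"}]),
    "db-netpol": ({"run": "db"}, [{"run": "web"}], [{"run": "web"}]),
    "allow-all": ({"env": "newpod"}, [{"env": "newpod"}], [{"env": "newpod"}]),
}
INGRESS, EGRESS = 1, 2

def matches(selector, labels):
    """matchLabels: every key/value must be present; {} matches all pods."""
    return all(labels.get(k) == v for k, v in selector.items())

def allowed(pods, pod, peer, direction):
    """Policies are additive: traffic passes if any policy selecting `pod`
    has a rule in this direction whose selector matches `peer`."""
    selecting = [p for p in POLICIES.values() if matches(p[0], pods[pod])]
    if not selecting:
        return True  # a pod selected by no policy is not isolated
    return any(matches(s, pods[peer]) for p in selecting for s in p[direction])

def can_connect(pods, src, dst):
    """Needs egress allowed at the source AND ingress allowed at the destination."""
    return allowed(pods, src, dst, EGRESS) and allowed(pods, dst, src, INGRESS)

def with_label(pods, name, key, value):
    """Return a copy of `pods` after `kubectl label pods <name> key=value`."""
    return {n: {**l, key: value} if n == name else dict(l) for n, l in pods.items()}

def matrix(pods):
    return {(s, d): can_connect(pods, s, d) for s in pods for d in pods if s != d}

if __name__ == "__main__":
    after = with_label(with_label(PODS, "db", "env", "newpod"), "web", "env", "newpod")
    for title, pods in (("pre-check", PODS), ("post-check", after)):
        for (s, d), ok in matrix(pods).items():
            print(f"{title}: {s} -> {d}: {'allowed' if ok else 'blocked'}")
```

In this model the relabelling also makes web and db reachable from each other, because allow-all then selects all three pods.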

How to delete the lab 👈👈👈

kubectl -n ckad-netpol delete netpol allow-all db-netpol default-deny-all web-netpol 
kubectl -n ckad-netpol delete pods ckad-netpol-newpod db web
kubectl delete namespaces ckad-netpol